Abstract

The main goal of this project was to develop a new model of access control to facilitate the specification of policies in highly dynamic scenarios. The requirement was to have a mathematically well-defined model so that properties of policies can be proven, and so that verifiably correct systems can be developed.

We have achieved this general goal: we have developed an expressive category-based metamodel of access control, which has a rewrite-based semantics allowing us to prove correctness properties of policies. Previously defined access control models are instances of our metamodel, and in addition the metamodel encompasses distributed models, as well as federative policies (where a global access control policy governing the federation is defined as a composition of local policies specified by individual members of the federation).

Using the rewrite-based operational semantics of the metamodel, we have defined a policy composition framework: operators to combine policies can be defined using rules, and properties of the resulting global policy can be proven in terms of the properties of the individual policies in the combination. We have also given a set of core axioms to specify emergency policies in the category-based metamodel.

In addition, an extension of the category-based access control metamodel has been proposed to include obligations. The extended metamodel allows security administrators to check whether a policy combining authorisations and obligations is consistent. This is particularly important in the context of emergency management.

We have defined a graphical representation of category-based policies, and shown how answers to usual administrator queries can be automatically computed, and properties of access control policies can be checked.

The results obtained in the project have been presented at international conferences and published in peer-reviewed conference proceedings and in international journals.

We are grateful for the financial support provided by AFOSR and EOARD in relation to Grant FA8655-10-1-3047. We thank Dr James Lawton for his always excellent support and advice.

1 Introduction

Access control policies specify which actions users are authorised to perform on protected resources. An authorisation may entail an obligation to perform another action on the same or another resource. Standard languages for the specification of access control policies also include a number of primitives to specify obligations associated with authorisations. For example, within XACML, an obligation is a directive from the Policy Decision Point (PDP) to the Policy Enforcement Point (PEP) specifying an action that must be carried out before or after an access is approved. If the PEP is unable to comply with the directive, the access might not be realised, even if it is authorised. Given the complexities involved in the definition of access control and obligation policies for command and control applications, formal methods to analyse and reason about policies are essential. This is particularly important in the case of systems dealing with access control in the context of emergency situations, where users' rights and obligations may need to change in order to cope with specific emergencies.

In this project we have addressed these issues by developing a category-based metamodel for access control, which identifies a core set of principles of access control, abstracting away many of the complexities that are found in specific access control models in order to simplify the tasks of policy writing and policy analysis. A key aspect of the metamodel is to focus attention on the notion of a category. A category is a class of entities which share some property. Classic types of groupings used in access control, like a role, a security clearance, a discrete measure of trust, etc., are particular instances of the more general notion of category. In category-based access control (CBAC) policies, permissions are assigned to categories of users, rather than to individual users. Categories can be defined on the basis of, e.g., user attributes, geographical constraints, or resource attributes. In this way, permissions can change in an autonomous way (e.g., when a user attribute changes), unlike, e.g., role-based access control models, which require the intervention of a security administrator. The category-based metamodel does not make any specific assumptions on the components of the system. It is an abstract model of access control and obligations that can be instantiated in various ways to satisfy specific requirements.
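
The paragraph above is the core of CBAC: users are never assigned permissions directly; they are members of categories, and permissions are assigned to categories. The following Python example is added here to illustrate that mechanism and is not code from the project; the attribute names (licence, shift, alert), the three categories and the permissions are constructed for the illustration. Categories are predicates over a principal's attributes, so when an attribute changes the principal's categories, and hence its permissions, change without anyone editing the policy.

```python
from dataclasses import dataclass, field
from typing import Callable

GRANT, DENY = "grant", "deny"


@dataclass
class Principal:
    name: str
    attributes: dict = field(default_factory=dict)


# A category is a class of principals sharing some property. Here each
# category is a predicate over the principal's attributes (hypothetical
# attribute names: licence, shift, alert), so membership is computed from
# the current attribute values rather than assigned by an administrator.
CATEGORIES: dict[str, Callable[[Principal], bool]] = {
    "clinician": lambda p: p.attributes.get("licence") == "valid",
    "on_duty": lambda p: p.attributes.get("shift") == "on",
    "emergency_responder": lambda p: (p.attributes.get("alert") == "red"
                                      and p.attributes.get("licence") == "valid"),
}

# Permission-category assignment (PCA): permissions attach to categories,
# never to individual principals. Constructed sample policy.
PCA: dict[str, set[tuple[str, str]]] = {
    "clinician": {("read", "patient_record")},
    "on_duty": {("write", "shift_log")},
    "emergency_responder": {("write", "patient_record")},
}


def categories_of(p: Principal) -> set[str]:
    """User-category assignment, derived from the current attribute values."""
    return {c for c, holds in CATEGORIES.items() if holds(p)}


def permissions_of(p: Principal) -> set[tuple[str, str]]:
    """All (action, resource) pairs reachable through the principal's categories."""
    return set().union(*(PCA.get(c, set()) for c in categories_of(p)))


def evaluate(p: Principal, action: str, resource: str) -> str:
    """Access request evaluation: grant iff some category of p holds the permission."""
    return GRANT if (action, resource) in permissions_of(p) else DENY


if __name__ == "__main__":
    alice = Principal("alice", {"licence": "valid", "shift": "off"})
    print(evaluate(alice, "read", "patient_record"))   # grant
    print(evaluate(alice, "write", "patient_record"))  # deny
    alice.attributes["alert"] = "red"   # an emergency alert changes an attribute ...
    print(evaluate(alice, "write", "patient_record"))  # grant: ... and hence the category
```

The last two calls show the point of the paragraph: the policy (`CATEGORIES` and `PCA`) is untouched, only a user attribute changed, and the decision for the same request changed with it. A category defined on an expired licence likewise drops its permissions automatically.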

The category-based metamodel for access control has been equipped with a rewriting semantics, which allows us to study implementations (rewriting provides an operational semantics for policies) and to prove properties of the policies. It is expressive: we have shown that all the access control models that are currently in use can be specified as instances of the metamodel. To accommodate obligations, the metamodel has been extended and examples of policies have been developed in the context of emergency management.

In critical domains, such as policies for command and control, it is highly desirable that access control models and policies be mathematically well defined so that properties of policies can be verified. Formal methods to analyse and reason about policies are essential for systems dealing with access control in the context of emergency situations, where users' rights may need to change in order to cope with specific emergencies. The rewrite-based operational semantics for the category-based metamodel allows us to use standard rewriting tools (such as CiME, Maude, AProVE, TTT, etc.) to verify security policies, e.g., to ensure that each access request has a unique answer (the latter is proved by checking the confluence and termination of the rewrite relation, which the above-mentioned tools do).

2 Main Results

The main results obtained in this project are:

1. We defined the distributed category-based access control metamodel, and provided a rewrite-based operational semantics, which can be used to model single access control policies or distributed (federative) policies defined as a combination of local policies. The access control metamodel was presented in [3]. The extension to deal with distributed policies is presented in [4], where a declarative, rewrite-based operational semantics is given. Distributed systems are seen as federations in which each component preserves its autonomy: the metamodel provides mechanisms to define combinations of policies, by defining general policy-combining operators, with a formal operational semantics for access request evaluation in centralised as well as in distributed contexts where information is shared. The metamodel includes mechanisms for the resolution of conflicts between local and global policies.
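
To make item 1 concrete, here is an added Python example (not code from the project or from [3] or [4]) of a federation in which each member keeps its own policy, a combining operator merges the members' answers, and a federation-wide rule resolves conflicts with the local result. The two members (a hospital and a lab), their rules and the three-valued decision set are constructed for the example. The last function shows, by exhaustive enumeration over local answers, the kind of property the report proves for the combined policy in terms of the operator alone: deny-overrides can never grant a request that some member denies.

```python
from itertools import product
from typing import Callable, Sequence

GRANT, DENY, UNDET = "grant", "deny", "undetermined"
DECISIONS = (GRANT, DENY, UNDET)
Request = tuple[str, str, str]          # (user, action, resource)
Policy = Callable[[Request], str]       # a policy maps a request to a decision


# Policy-combining operators, written as rules over the sequence of local answers.
def deny_overrides(answers: Sequence[str]) -> str:
    if DENY in answers:
        return DENY
    if GRANT in answers:
        return GRANT
    return UNDET


def grant_overrides(answers: Sequence[str]) -> str:
    if GRANT in answers:
        return GRANT
    if DENY in answers:
        return DENY
    return UNDET


def global_overrides(global_answer: str, local_answer: str) -> str:
    """Conflict resolution between the federation-wide policy and the members'
    combined answer: the global answer wins unless it is undetermined."""
    return local_answer if global_answer == UNDET else global_answer


def federate(global_policy: Policy, members: Sequence[Policy], combine) -> Policy:
    """Build the global policy as the combination of the members' local policies."""
    def combined(req: Request) -> str:
        local_answer = combine([p(req) for p in members])
        return global_overrides(global_policy(req), local_answer)
    return combined


def never_grants_over_local_deny(combine, n_members: int) -> bool:
    """Property of the combination, checked over every tuple of local answers:
    the combined answer is never 'grant' when some member answered 'deny'."""
    return not any(DENY in answers and combine(answers) == GRANT
                   for answers in product(DECISIONS, repeat=n_members))


# Constructed local policies of two federation members.
def hospital(req: Request) -> str:
    user, action, resource = req
    if resource == "patient_record":
        return GRANT if user == "alice" else DENY
    return UNDET


def lab(req: Request) -> str:
    user, action, resource = req
    if resource == "sample":
        return GRANT if action == "read" else DENY
    return UNDET


def federation_rule(req: Request) -> str:
    """Federation-wide rule: nobody deletes anything; silent otherwise."""
    return DENY if req[1] == "delete" else UNDET


POLICY = federate(federation_rule, [hospital, lab], deny_overrides)

if __name__ == "__main__":
    print(POLICY(("alice", "read", "patient_record")))    # grant (hospital says so)
    print(POLICY(("alice", "delete", "patient_record")))  # deny (global rule overrides)
    print(never_grants_over_local_deny(deny_overrides, 3))   # True
    print(never_grants_over_local_deny(grant_overrides, 2))  # False
```

The property check is deliberately over the operator, not over any particular member policy: once it holds for `deny_overrides`, it holds for every federation built with that operator, whatever the members' rules are, which is what lets properties of the global policy be stated in terms of the parts.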

2. We have incorporated the notion of obligation in the metamodel. To specify dynamic policies involving authorisations and obligations in the metamodel, we adjusted the notion of an event used in previous work, and described a set of core axioms for defining obligations. In addition, we provide a rewrite-based operational semantics for the extended metamodel, which can be used to specify policies and derive implementations. The rewrite-based semantics specifies how authorisations and obligations are evaluated, and includes mechanisms for the resolution of conflicts between authorisations and obligations. These results are published in [1].
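
The following Python example is added to illustrate item 2 together with the XACML-style obligations described in the introduction; it is not code from the project or from [1]. It attaches obligations to authorisations and to events (the way emergency policies are triggered), lets an enforcement point refuse to realise an access whose obligation it cannot discharge, and implements one consistency check of the kind the extended metamodel supports: an obligation conflicts with the authorisation policy when the obliged category is not itself authorised to perform the obliged action. The categories, actions, resources and the `fire_alarm` event are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    category: str   # who must act
    action: str
    resource: str
    when: str       # "before" or "after" the access, as in XACML


# Authorisations: (category, action, resource) -> obligations attached to the grant.
# Constructed policy; note the responder obligation refers to an action
# ("notify") that no authorisation covers.
AUTH: dict[tuple[str, str, str], frozenset[Obligation]] = {
    ("clinician", "read", "patient_record"): frozenset({
        Obligation("clinician", "write", "audit_log", "after")}),
    ("clinician", "write", "audit_log"): frozenset(),
    ("responder", "write", "patient_record"): frozenset({
        Obligation("responder", "notify", "supervisor", "before")}),
}

# Event-triggered obligations (emergency management): event -> obligations.
EVENTS: dict[str, frozenset[Obligation]] = {
    "fire_alarm": frozenset({Obligation("clinician", "evacuate", "ward", "after")}),
}


def authorised(category: str, action: str, resource: str) -> bool:
    return (category, action, resource) in AUTH


def inconsistent_obligations() -> set[Obligation]:
    """Obligations whose obliged action the obliged category may not perform.
    An empty result means authorisations and obligations are consistent."""
    attached = set().union(*AUTH.values())
    triggered = set().union(*EVENTS.values())
    return {o for o in attached | triggered
            if not authorised(o.category, o.action, o.resource)}


def enforce(category: str, action: str, resource: str, can_fulfil) -> str:
    """PEP behaviour: an authorised access is realised only if every attached
    obligation can be discharged; can_fulfil(obligation) -> bool is the PEP's
    own capability (assumed interface)."""
    if not authorised(category, action, resource):
        return "denied"
    if all(can_fulfil(o) for o in AUTH[(category, action, resource)]):
        return "realised"
    return "authorised-but-not-realised"


if __name__ == "__main__":
    for o in sorted(inconsistent_obligations(), key=str):
        print("inconsistent:", o)
    print(enforce("clinician", "read", "patient_record", lambda o: True))
    print(enforce("clinician", "read", "patient_record", lambda o: o.action != "write"))
```

Running the consistency check before deployment is the practical payoff: both flagged obligations would otherwise surface only at enforcement time, as accesses that are authorised on paper but never realised.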

3. Based on the metamodel, we have defined a graphical framework for the analysis of policies that aims at easing the specification and verification tasks for security administrators. Using a visual representation of policies, we show how answers to usual administrator queries can be automatically computed, and properties of access control policies (such as: every access request receives a unique answer) can be checked. For example, the fact that the policy ensures a "separation of duty" constraint (where no user should be allowed to perform two conflicting actions on the same resource) can be easily proved using graph-based algorithms and rewriting techniques. We show applications of the framework to the analysis of policies in distributed environments, and in particular policies that include management of rights in emergency situations. These results are published in [2].
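
Item 3 and the "unique answer" discussion in the introduction are illustrated by the added Python example below, which is not code from the project's Policy Manager or from [2]. The policy is held as a graph of user-to-category and category-to-permission edges; an administrator query ("who can perform this action on this resource?") and a separation-of-duty check are answered by following those edges. The unique-answer property is checked over a finite request domain: decision rules with wildcards stand in for the report's rewrite rules, and a request matched by rules that disagree is returned as a witness. This enumeration is a finite approximation of the confluence check the report performs with rewriting tools, not a replacement for it. Users, categories, rules and the conflicting-action pair are constructed.

```python
from itertools import product

WILD = "*"

# Policy graph edges (constructed sample): user -> categories, category -> permissions.
UCA = {"alice": {"doctor", "pharmacist"}, "bob": {"auditor"}, "carol": {"doctor"}}
PCA = {"doctor": {("prescribe", "drug")},
       "pharmacist": {("dispense", "drug")},
       "auditor": {("read", "prescriptions")}}


def reachable_permissions(user: str) -> set[tuple[str, str]]:
    """Permissions reachable from the user node through its category nodes."""
    return {perm for c in UCA.get(user, ()) for perm in PCA.get(c, ())}


def who_can(action: str, resource: str) -> set[str]:
    """Administrator query: which users can perform action on resource?"""
    return {u for u in UCA if (action, resource) in reachable_permissions(u)}


def sod_violations(conflicts) -> dict:
    """Separation of duty: conflicts is a set of (action1, action2, resource)
    triples that no single user may hold together. Returns user -> violated triples."""
    found: dict = {}
    for user in UCA:
        perms = reachable_permissions(user)
        for a1, a2, res in conflicts:
            if (a1, res) in perms and (a2, res) in perms:
                found.setdefault(user, set()).add((a1, a2, res))
    return found


# Decision rules as (category, action, resource, decision) with "*" wildcards,
# standing in for rewrite rules (constructed; the last rule overlaps the deny rule).
RULES = [
    ("doctor", "prescribe", "drug", "grant"),
    (WILD, "delete", WILD, "deny"),
    ("auditor", "read", WILD, "grant"),
    ("auditor", "delete", "prescriptions", "grant"),
]


def matches(rule, request) -> bool:
    return all(r == WILD or r == v for r, v in zip(rule[:3], request))


def non_unique_answers(rules, categories, actions, resources) -> dict:
    """Finite-domain check of the unique-answer property: every request must be
    matched only by rules that agree on the decision. Returns the requests for
    which matching rules disagree; an empty dict means the answer is unique."""
    witnesses: dict = {}
    for request in product(sorted(categories), sorted(actions), sorted(resources)):
        decisions = {rule[3] for rule in rules if matches(rule, request)}
        if len(decisions) > 1:
            witnesses[request] = decisions
    return witnesses


if __name__ == "__main__":
    print(who_can("prescribe", "drug"))                        # {'alice', 'carol'}
    print(sod_violations({("prescribe", "dispense", "drug")}))  # alice holds both
    print(non_unique_answers(RULES, {"doctor", "pharmacist", "auditor"},
                             {"prescribe", "dispense", "read", "delete"},
                             {"drug", "prescriptions"}))
```

Both checks report witnesses rather than a bare yes/no, which is what an administrator needs in order to repair the policy: the user whose category membership breaks separation of duty, or the exact request on which two rules disagree.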

In addition, the following results have been implemented by students at King's College London, as part of their final year projects (supervised by M. Fernandez).

1. Distributed category-based access control (item 1 above): this has been applied in three individual UG projects, where students implemented access control policies for a bank, a hotel and a hospital.

2. Event handler for emergency policies (item 2 above): this has been implemented in two UG projects; one project developed a category-based access control system for a hospital, the other focused on the infrastructure required for the event processing (dealing with mechanisms to obtain and process data that trigger the application of emergency policies).

3. Policy Manager: a graphical environment for the analysis of policies (item 3 above) was implemented in Ruby as part of a UG project.

3 Publications

For more details on the work described in this report, we refer to the annual reports (submitted in August 2011, 2012, 2013, 2014) and to the following publications (attached).

• Clara Bertolissi, Maribel Fernandez. A metamodel of access control for distributed environments: Applications and properties. Information and Computation 238: 187-207 (2014). Elsevier.

• S. Alves, A. Degtyarev, M. Fernandez. Access control and obligations in the category-based metamodel: a rewrite-based semantics. Proceedings of LOPSTR 2014, Logic-Based Program Synthesis and Transformation - 24th International Symposium, Canterbury, UK, September 2014. Proietti, Maurizio, Seki, Hirohisa (Eds.), Lecture Notes in Computer Science, Vol. 8981. Springer, 2015.

• S. Alves, M. Fernandez. A Framework for the Analysis of Access Control Policies with Emergency Management. Proceedings of LSFA 2014, 9th Workshop on Logical and Semantic Frameworks, with Applications, Brasilia, Brazil, September 2014. Electronic Notes in Theoretical Computer Science (to appear).

4 Conclusions and future work

The access control metamodel developed in this project is expressive enough to deal with most of the features relevant to authorisations and obligations and provides means to reason about them. We consider that the project has achieved all its aims; however, some important issues need to be further developed: the typing relation for events (e.g., to identify events that trigger emergency policies), the definition of mechanisms to deal with accountability in case of failed obligations, and various types of administrative updates on policies (e.g., delegation of rights). These are topics for future research.

We also wish to provide more mechanisms for analysing dynamic properties of policies and helping administrators to develop and manage policy updates. With this aim in view, we plan to develop a version of the Policy Manager tool within PORGY, an environment we are developing to provide visualisation and simulation features for systems specified via port-graph rewriting.